{"id":609374,"date":"2023-02-18T07:49:16","date_gmt":"2023-02-18T13:49:16","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/02\/18\/royal-mail-refused-to-pay-66m-lockbit-ransom-demand-logs-reveal\/"},"modified":"2023-02-18T07:49:16","modified_gmt":"2023-02-18T13:49:16","slug":"royal-mail-refused-to-pay-66m-lockbit-ransom-demand-logs-reveal","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/02\/18\/royal-mail-refused-to-pay-66m-lockbit-ransom-demand-logs-reveal\/","title":{"rendered":"Royal Mail refused to pay \u00a366m LockBit ransom demand, logs reveal"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/ComputerWeekly\/Hero Images\/Post-Office-Royal-mail-box-adobe_searchsitetablet_520X173.jpg\" data-credit=\"Mr Doomits - stock.adobe.com\"  width=\"520\" height=\"173\" alt><\/p>\n<p>Mr Doomits &#8211; stock.adobe.com<\/p>\n<\/p><\/div>\n<div id=\"content-header\">\n<h2>Leaked chat logs reveal Royal Mail has supposedly refused to pay a \u00a366m ransom demand from the LockBit ransomware gang<\/h2>\n<\/div>\n<div id=\"content-center\">\n<ul>\n<li><i data-icon=\"1\"><\/i><\/li>\n<li><i data-icon=\"2\"><\/i><\/li>\n<\/ul>\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>15 Feb 2023 12:30<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Royal Mail has supposedly rebuffed an $80m (\u00a366m) ransom demand <a href=\"https:\/\/www.computerweekly.com\/news\/365530169\/LockBit-cartel-finally-claims-Royal-Mail-ransomware-attack\">from the LockBit 
ransomware gang<\/a>, saying \u201cunder no circumstances\u201d would it pay \u201cthe absurd amount of money\u201d demanded.<\/p>\n<p>This is according to what appear to be chat logs leaked by LockBit, published on 14 February, that detail weeks of in-depth negotiations between LockBit and its victim, <a href=\"https:\/\/www.computerweekly.com\/news\/252529095\/Royal-Mail-overseas-services-hit-by-major-cyber-attack\">which was attacked on 10 January<\/a>.<\/p>\n<p>Over a month later, Royal Mail remains <a href=\"https:\/\/www.royalmail.com\/international-incident-bulletin\">unable to provide a full international postal service<\/a>, although it has been steadily bringing parts of its operation back online in the interim.<\/p>\n<p>On 28 January, the logs show Royal Mail\u2019s negotiator told LockBit\u2019s representative: \u201cWe have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.\u201d<\/p>\n<p>On 1 February, the logs show LockBit\u2019s representative offered a 12.5% discount, which would have dropped the ransom demand to approximately \u00a347.1m. At this point, LockBit\u2019s representative appears to have grown increasingly frustrated with Royal Mail\u2019s negotiator, berating them for taking their time in responding, and asking them why they had \u201csuch a long chain of middlemen\u201d and why they could not just talk directly to management. 
They also told Royal Mail that \u201cjournalists are asking me why I haven\u2019t published your information \u2026 they really want to see your files\u201d.<\/p>\n<p>The gang sent its final messages between 7 and 9 February, stating that the data was \u201cready to be published\u201d and the decryptor was \u201cready to be deleted\u201d, before asking, \u201cDo you have any offer for me?\u201d at which point the conversation cuts off.<\/p>\n<p>A Royal Mail spokesperson declined to confirm the accuracy of the logs. \u201cAs there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,\u201d they said.<\/p>\n<section data-menu-title=\"Lengthy negotiation\">\n<h3><i data-icon=\"1\"><\/i>Lengthy negotiation<\/h3>\n<p>The logs appear to show that Royal Mail first made contact with the ransomware gang on 12 January, and was able to obtain proof of some data theft, a process that appears to have been dragged out to 21 January, two days after the postal service was able to implement some technical workarounds that bypassed the encrypted systems <a href=\"https:\/\/www.computerweekly.com\/news\/252529371\/International-post-resumes-thanks-to-Royal-Mail-workarounds\">and enabled it to resume parts of its operations<\/a>.<\/p>\n<p>The negotiator told LockBit that some of the files encrypted pertained to the shipment of lifesaving medical equipment, but LockBit refused this request, stating that Royal Mail was making multi-billion dollar profits \u2013 this is not true \u2013 and was being greedy and trying to get something for nothing.<\/p>\n<p>They also told Royal Mail that the ransom demand was substantially less than the maximum regulatory fines it could face from the UK authorities over a data breach.<\/p>\n<p>\u201cWe are all suffering from the global crisis and our income has fallen as much as yours \u2026 you are hundreds of times richer than us,\u201d said LockBit\u2019s 
representative.<\/p>\n<\/section>\n<section data-menu-title=\"Ransomware negotiation\">\n<h3><i data-icon=\"1\"><\/i>Ransomware negotiation<\/h3>\n<p>The full log, which has now been obtained and reviewed by Computer Weekly, reads as a fairly standard ransomware negotiation in which the cyber criminal representative presents their extortion racket as <a href=\"https:\/\/www.computerweekly.com\/news\/252498463\/Retailer-FatFace-pays-2m-ransom-to-Conti-cyber-criminals\">something akin to a legitimate business service<\/a>, such as an organisation might procure from a genuine cyber security company.<\/p>\n<p>The logs also reveal some insight into how ransomware victims are advised to go about conducting a negotiation.<\/p>\n<p>Throughout the process, the supposed Royal Mail negotiator understandably plays for time with a formulaic approach to their answers, advising that they need to communicate various offers to the board, which generally needs a couple of days or a weekend to meet and come to a decision that never seems to arrive.<\/p>\n<p>At times they seem to present themselves as a low-level technical employee who is trying to make their senior leadership understand the scale of the problem.<\/p>\n<p>All of these tactics have a clear effect on proceedings, drawing them out and giving the postal service a fighting chance to mount a more effective response.<\/p>\n<\/section>\n<section data-menu-title=\"Why now?\">\n<h3><i data-icon=\"1\"><\/i>Why now?<\/h3>\n<p>Tim Mitchell, a security researcher at <a href=\"https:\/\/www.secureworks.com\/\">Secureworks<\/a>, who as the organisation\u2019s thematic lead for LockBit has been tracking the ransomware cartel for some time, shared some insight into why the group may have chosen to go public.<b>\u00a0<\/b><\/p>\n<p>\u201cWhen LockBit moves to publish the negotiation conversation it usually happens after the fact, when they have written off any chance of getting paid, to serve as a deterrent to future victims,\u201d he 
said. \u201cThe message being: \u2018if you don\u2019t pay, we can publish files and share this data, too\u2019. But such a tactic can also leave the door open for further negotiations.<\/p>\n<p>\u201cTwice now, we\u2019ve seen LockBit issue deadlines for publishing data, and no files have been released other than this negotiation conversation. The chat still suggests they have data \u2013 so the questions remain what data do they have and why haven\u2019t they released it? With Royal Mail systems still not up to full operational capacity for international package, what is the ongoing cost to the business?\u201d<\/p>\n<p>Mitchell also noted that the scale of the ransomware demand, one of the highest ever seen, was \u201cvastly unrealistic\u201d on LockBit\u2019s part.<\/p>\n<\/section>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365531392\/Royal-Mail-refused-to-pay-66m-LockBit-ransom-demand-logs-reveal\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Dion Lanz<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mr Doomits &#8211; stock.adobe.com Leaked chat logs reveal Royal Mail has supposedly refused to pay a \u00a366m ransom demand from the LockBit ransomware gang By Alex Scroxton, Security Editor Published: 15 Feb 2023 12:30 Royal Mail has supposedly rebuffed an $80m (\u00a366m) ransom demand from the LockBit ransomware gang, saying \u201cunder no circumstances\u201d would 
it<\/p>\n","protected":false},"author":1,"featured_media":609375,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31617,36,46],"tags":[],"class_list":{"0":"post-609374","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-refused","8":"category-royal","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/609374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=609374"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/609374\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/609375"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=609374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=609374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=609374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}